As irritating as a real case of the crabs can be, organizations now have to deal with GandCrab v4 – a more dangerous and invasive newly released strain of the notorious ransomware.
If you don’t recall, the industry first saw GandCrab as a ransomware kit purchased by individuals and traditionally embedded as part of BitTorrent downloads, etc. Relatively benign in today’s world, GandCrab only really works in environments where security is completely lacking (e.g. no antivirus, as AV will easily spot this), and where the existing patch (that has been out since May of 2017) hasn’t been applied.
Even so, what makes this new strain of GandCrab so interesting is some features not previously seen:
- It no longer needs a C2 server
- It functions without Internet access
- It can spread via the SMB exploit EternalBlue
- It appears to hunt for unpatched machines
So, what was once a laughable piece of ransomware now has some power in its’ pincers.
So, who’s the most at risk to catch the GandCrabs? Anyone still running Windows XP or Windows 2003. While Microsoft’s patch is available for older operating systems (with the exception of Windows 2000), many AV solutions no longer support these older OSes, making them prime targets for this new and improved ransomware variant.
There are some very obvious ways to avoid getting hit by GandCrab v4:
- Block download sites, BitTorrent, etc.
- Disable access to USB storage devices
- Keep AV definitions up to date (keeping in mind the potential lack of support for older OSes)
- Limit or restrict Internet access from older machines without AV
- Disable SMB1 – the key to EternalBlue working. It’s an older SMB protocol, so if you’re not using XP or 2003, you can disable it via Group Policy
- And, because users can still invoke this as an attachment, educate users on being mindful of email attachments and links via security awareness training.
UPDATE: Bitdefender has a decryption for this strain: https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/